
[ISN] Debian struggling with security

Subject: [ISN] Debian struggling with security
Date: Wed, 6 Jul 2005 04:45:03 -0500 (CDT)
http://news.zdnet.co.uk/software/linuxunix/0,39020390,39207235,00.htm

Renai LeMay
ZDNet Australia
July 05, 2005

Debian is facing difficulties getting timely security updates to users
of its Linux distribution due to lack of manpower and software
problems.

The issues recently surfaced when Debian released the latest version
of its Linux distribution early in June, according to Martin Schulze,
a member of the organisation's security team.

That release, Schulze wrote on his blog, caused configuration problems
on the server which was responsible for distributing security updates
-- and it hasn't been functioning properly since. "Several security
updates aren't built on all architectures as they should be," the
developer wrote only yesterday. "Currently, it's totally unreliable."

Lack of manpower also appears to be adding to Debian's security woes.  
Michael Stone, another member of Debian's security team, expressed his
frustration to the organisation's security e-mail mailing list in
mid-June, saying there was no effective tracking of security problems.

The problems have seen Debian fall behind competitors like Red Hat in
releasing updates to widely-used programs. For example, although
spam-filtering package SpamAssassin was updated by its creator to fix
a remote denial-of-service vulnerability on 6 June, Debian provided
the update on 1 July, while Novell's SuSE got the fix a week earlier
on 23 June, Gentoo Linux on the 21st and Red Hat's Fedora still
earlier on the 16th.

A similar situation occurred when the 'sudo' package needed an update
in mid-June. In addition a number of security-related bugs are listed
on Schulze's Web site as being unfixed, although the site also notes
the data may be inaccurate as it is automatically generated.

Although Debian's infrastructure problems have not been as prominently
discussed as the manpower issues on the project's mailing lists,
giving some developers more authority is one idea that has been
discussed as a way of speeding up the release of security updates.

As one developer put it: "The problem we're currently seeing isn't
that the job is hard, but that only a very small number of people have
the authority/ability to push the update out."

Another agreed, calling for the size of the security team to be
increased from seven to 21.


